Heaventools® PE Explorer 1.80
By +Jonathan
*Price: $100
*URL: www.heaventools.com/
*Protection: Enter the SN, otherwise a 30-day trial.
OK. As usual, we adjust the clock so that the trial expires. Notice that I CAN NOT set a breakpoint on the wrong-SN box, for it was encrypted, and also it does not have a specific message box for a wrong SN. (Actually the message box is divided into two parts: one is “register.htm”, the other one is “terminate”.)
Picture (1)
So let's load it into W32Dasm. (Remember that it is wise for a new +cracker to save it as a project.) Let's first find “registerautomation” in the string data and click on that.
:00431192 8B45FC       mov eax, dword ptr [ebp-04]
:00431195 8B8080000000 mov eax, dword ptr [eax+00000080]
:0043119B 85C0         test eax, eax
:0043119D 7C05         jl 004311A4
:0043119F 83F820       cmp eax, 00000020   *Is the SN 32 or more digits long?*
:004311A2 7E40         jle 004311E4        *No, then beggar off*

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043119D(C)
|
:004311A4 8B45F8       mov eax, dword ptr [ebp-08]
:004311A7 33D2         xor edx, edx
:004311A9 89500C       mov dword ptr [eax+0C], edx

* Possible StringData Ref from Code Obj ->"RegisterAutomation"
|
:004311AC 6840144300   push 00431440
:004311B1 8B45FC       mov eax, dword ptr [ebp-04]
:004311B4 8B8080000000 mov eax, dword ptr [eax+00000080]
:004311BA 50           push eax
Notice that it will not break if you place a BP (breakpoint) here. But we know the SN must be 32 or more digits long. Now copy all the string data to your word processor and search for “TRIAL”, since it always displays “trial version” at start-up. Double-click on that:
:0052636E 8D55BB       lea edx, dword ptr [ebp-45]
:00526371 B920000000   mov ecx, 00000020   *Is the SN 32 or more long?*
:00526376 8B45E0       mov eax, dword ptr [ebp-20]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
There are more instructions!!! Skip them.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00526438(C)
|
:00526429 89D8         mov eax, ebx
:0052642B 300416       xor byte ptr [esi+edx], al
:0052642E D1CB         ror ebx, 1
:00526430 81F3A5A5A5A5 xor ebx, A5A5A5A5
:00526436 42           inc edx
:00526437 49           dec ecx
:00526438 75EF         jne 00526429
:0052643A 61           popad
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
There are more instructions. Let's skip them.

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005262F3(C), :00526314(C)
|
:00526472 B8A8CC5400   mov eax, 0054CCA8

* Possible StringData Ref from Code Obj ->"trial version"
|
:00526477 8B15C0CC5400 mov edx, dword ptr [0054CCC0]
:0052647D E852D5EDFF   call 004039D4
:00526482 B8ACCC5400   mov eax, 0054CCAC
So, let’s disable these conditional jumps: 005262F3 & 00526314
:005262EE E819DAEDFF   call 00403D0C
:005262F3 0F8579010000 jne 00526472   *turn into je*
:005262F9 8D4DB4       lea ecx, dword ptr [ebp-4C]
:005262FC BA08000000   mov edx, 00000008
:00526301 8B45F4       mov eax, dword ptr [ebp-0C]
:00526304 E81310EEFF   call 0040731C
:00526309 8B55B4       mov edx, dword ptr [ebp-4C]
:0052630C 8B45E4       mov eax, dword ptr [ebp-1C]
:0052630F E8F8D9EDFF   call 00403D0C
:00526314 0F8558010000 jne 00526472   *turn into je*
Now run PE Explorer and type your name; it still terminates, but you can see your name being typed. That means there exists a CALL which is NULL. OK. Press “Ctrl + L” to call the debugger and set a breakpoint on 0052636E; then, if you type your name and a dummy SN longer than 32 digits, it will break. After the break, you can simply press F6 in order to observe. You will then notice that it loops back to the beginning at 00526438, so let's break again on 0052643A. After about 1 minute, it breaks on EIP 0052772B.
At 0052772B it displays Picture (1), which means Game Over!!! So let's quickly crack this one:
Search: DA ED FF 0F 85 79 01 00 00 8D 4D B4
Modify: ===========84=================
Search: E8 F8 D9 ED FF 0F 85 58 01 00 00
Modify: ===============84=========
Search: B8 98 31 55 00 FF 55 F4 61 33 C0
Modify: =========== EB 02=========
Oh, once again readers, PLEASE write some letters to me.
(p.s. This essay took me about 5 hours to finish!!)
E-mail +Jonathan : aikawa-nanase7511@juno.com